Distance Learning

Hey testers. It’s been a while since I have blogged last. This has mostly been because of such a massive workload, but also various personal events taking place. I normally blog when either I feel that I have something to share, or if I have a reaction to something I have learned – such as on this occasion.

CAST2015 – The Conference of the Association for Software Testing is running as I type this, from Grand Rapids, Michigan, USA. This is the first year I have been able to monitor the live stream. This is a fantastic service, offered to allow folks who aren’t attending to listen, watch and take part (via Twitter).

I want to reflect first on yesterday’s opening keynote speech by Karen Johnson entitled “Moving Testing Forward”. This was a very personal exploration of her career, learning and life; much of which resonated with me.

This is something I have sometimes had issues with in the past, and sometimes with great detrimental effects. Without going into too much detail, I’ve been places where I have been unable to establish good working relationships, or had personal problems intrude on my working life and vice versa.

The work/life balance has always been a hard road to travel. Family, friends and other personal commitments should take priority. Whilst I was building my career often that wasn’t the case, and my personal life suffered.

I also made possibly poor choices, but yet choices that have ultimately gotten me to where I am now – a great role, testing, learning, working with great people at an exciting business. A business that does its best to support its employees when they have personal issues and gives them breathing space and learning opportunities to be able to craft and shape their own careers. I am very lucky.

Secondly, I’d like to reflect on the keynote from the second day by Ajay Balamurugadas, entitled “The Future of Testing”. I haven’t met Ajay yet, but I feel that I know him through his work.

As a facilitator at Weekend Testing Europe we are part of his vision to provide great learning opportunities for the entire testing community. This tweet from Maria Kedemo sums up this attitude succinctly.

A long time ago I did not feel empowered at all to learn for myself. I felt that all my learning needed to come from my employer, be paid for by my employer, if they were ultimately to benefit from it. Employers invariably are businesses with their own priorities and concerns – not necessarily with the personal learning and welfare of their employees.

As Ajay said, not being able to afford to go to conferences or attend courses should never be a blocker to learning. We have blogs, books, free webinars, meetups and tester gatherings, brown bags, Skype sessions on Weekend Testing, and any number of other roads to learning.

I had an epiphany on this several years ago. I was never going to get to where I wanted to be – be a home owner, clear my student debt, start a family – if I didn’t take control of that learning. So I read blogs, I joined the Software Testing Club, I started looking at the work of other testers I had heard about, I even started implementing some of their approaches and techniques. All great learning.

But to take that further and on to the next stage, I had to get away from companies that didn’t support that approach to learning. I decided to go freelance, and this I have done for about 4 years or so. Now being at New Voice Media has allowed me to expand that learning into avenues that I hadn’t thought possible, exposing me to thinking and choices that may take me away from testing to focus on security, as I do at the moment.

Thanks to the organisers of CAST for making it available to all.

Back in the game

The last few months of 2014 brought on quite a few new professional challenges. Unfortunately this means that I have been unable to do any blogging of late.

So…a quick catch up.

I’ve recently run two Weekend Testing sessions on Security Testing. The info for these is here:

http://weekendtesting.com/archives/3744

http://weekendtesting.com/archives/3804

I’ve since been invited to help run the Weekend Testing Europe chapter by Amy Phillips and Neil Studd, so keep your eyes open for future sessions! Amy is running one this week on API testing. It should be awesome. Go check out the details here and register:

http://weekendtesting.com/archives/3898

During these sessions I referred to the work of security blogger Troy Hunt. He kindly let us use his website http://hackyourselffirst.troyhunt.com/, which also forms the subject of his two courses Hack Yourself First and Hack Your API First.

Both courses work together as a fantastic way to get to grips with some tricky concepts, which are explained clearly, succinctly, and with humour.

Often these sorts of online courses can be quite boring, heavily laden with dry facts rather than useful examples and experience. Troy draws on examples in the course material, web and mobile applications, as well as real world vulnerabilities he has discovered during his work.

I can definitely recommend both of them, which are available on Pluralsight. The courses aren’t free, but they do a trial period. It’s worth investing in them if you can. Enjoy!

Something for the weekend, sir?

In what seems to now have been a storming comeback, the European chapter of Weekend Testing was a breath of fresh air in the learning opportunities for testers. You can find a link to the latest session here. Ably facilitated by Amy Phillips (@itjustbroke) and Neil Studd (@neilstudd) the session was dynamic and a great chance to talk with other testers in a relaxed environment. I didn’t even have to leave my house!

The main focus of the session was heuristics, how we understand, use and learn from them. There is a lot of great material on what heuristics are and how they can be used to inform and drive our testing ideas and execution. I won’t dwell too much on these areas but just hope to point you to some useful material:

Elisabeth Hendrickson’s Testing Heuristics Cheat Sheet

Michael Bolton’s blog post – heuristics for understanding heuristics

Anyway, my main takeaway from this session was the ruts that, as testers, we might sometimes get stuck in. I chose the Constraints heuristic, utilising data type attacks upon the World Chat Clock application we were all discussing.

I found myself falling back onto what now I feel to be a bit of a party piece. I immediately decided to perform a few simple XSS and SQL Injection attacks against the application. What I expected, but couldn’t be sure of, was that the application’s user interface would prevent these kinds of basic security vulnerabilities from being exploited. I did ultimately find a way of injecting XSS, via OWASP Mantra, but not getting it to expose any data. The bug did however cause some interesting display and wrapping issues.

Rather than looking at the functionality, usability, accessibility and its overall purpose somehow I have begun to think the worst about the software under test before I have given myself a chance to really take the time to evaluate it critically, honestly and objectively. I immediately questioned how secure the application was before I considered any other factors.

In my work at New Voice Media, I am part of a cross functional development team, and part of a community of testing interest within the business. During this time I’ve taken onboard a lot of security testing skills, with still a lot more left to learn. It may be that I have taken these skills to heart and want to use them at any opportunity, to develop them further, to discover more about the underlying behaviour of the application under test.

Yet sometimes I feel guilty that I am not approaching the testing of software from any number of other directions, using other skills and techniques. Maybe the newer skills I have learned are higher up in my priority list in my mind before I take other approaches. So, there are of course biases at play here. I’d like to explore that further and challenge them in the future.

Perhaps this has something to do with the way I personally learn things? Early in my career everything was driven from scripts and spreadsheets. There was no impetus to learn better ways of testing, only how to get testing done faster with fewer bugs and more coverage. I was learning how to manage my testing, but not being critical of the testing I was doing, nor evaluating the testing of other people.

Now this kind of learning is the bread and butter of the testers I work with now. We learn, explore, test, check, learn some more, share, improve and the cycle continues. A much more positive way of working. It’s not without its problems, as quite rightly so, you are much more accountable for your work, justifying your choices and decisions. There is a certain level of emotional maturity that we as testers need to develop in order to sustain this cycle, be accountable, share our learning appropriately, learn well from mistakes and improve from them.

This is one of the reasons why I enjoyed Weekend Testing so much. You can’t really hide or be a silent observer. You need to get stuck in and get your hands dirty!

A couple of hours on a Sunday afternoon in the past has not been a huge cost to me, as I would only be doing a bit of housework, DIY, gardening, Scouting, sport or watching something geeky on TV. Soon, however, my weekends will be taken up with the ultimate challenge of parenthood, so chances to learn with peers in a relaxed environment will become few and far between. More on that learning experience and how it relates to testing another time.

Weekend Testing: infinitely better and more rewarding than mowing your lawn. Thanks to Neil and Amy for running such a fun and exciting session. The same goes to the other participants for the opportunity to learn from you and the excellent conversation.